encapsulate signer (#3576)

Signed-off-by: Richard Pringle <[email protected]>
ava-labs · Dec 9, 2024 · 1dc4192 · 1dc4192
1 parent f9d5d20
commit 1dc4192
Show file tree

Hide file tree

Showing 57 changed files with 363 additions and 364 deletions.
diff --git a/chains/manager.go b/chains/manager.go
@@ -186,7 +186,7 @@ type ManagerConfig struct {
 	SybilProtectionEnabled bool
 	StakingTLSSigner       crypto.Signer
 	StakingTLSCert         *staking.Certificate
-	StakingBLSKey          *bls.SecretKey
+	StakingBLSKey          bls.Signer
 	TracingEnabled         bool
 	// Must not be used unless [TracingEnabled] is true as this may be nil.
 	Tracer                    trace.Tracer
@@ -497,7 +497,7 @@ func (m *manager) buildChain(chainParams ChainParameters, sb subnets.Subnet) (*c
 			SubnetID:        chainParams.SubnetID,
 			ChainID:         chainParams.ID,
 			NodeID:          m.NodeID,
-			PublicKey:       bls.PublicFromSecretKey(m.StakingBLSKey),
+			PublicKey:       m.StakingBLSKey.PublicKey(),
 			NetworkUpgrades: m.Upgrades,
 
 			XChainID:    m.XChainID,

diff --git a/config/config.go b/config/config.go
@@ -645,9 +645,9 @@ func getStakingTLSCert(v *viper.Viper) (tls.Certificate, error) {
 	}
 }
 
-func getStakingSigner(v *viper.Viper) (*bls.SecretKey, error) {
+func getStakingSigner(v *viper.Viper) (bls.Signer, error) {
 	if v.GetBool(StakingEphemeralSignerEnabledKey) {
-		key, err := bls.NewSecretKey()
+		key, err := bls.NewSigner()
 		if err != nil {
 			return nil, fmt.Errorf("couldn't generate ephemeral signing key: %w", err)
 		}
@@ -685,7 +685,7 @@ func getStakingSigner(v *viper.Viper) (*bls.SecretKey, error) {
 		return nil, errMissingStakingSigningKeyFile
 	}
 
-	key, err := bls.NewSecretKey()
+	key, err := bls.NewSigner()
 	if err != nil {
 		return nil, fmt.Errorf("couldn't generate new signing key: %w", err)
 	}
@@ -694,7 +694,7 @@ func getStakingSigner(v *viper.Viper) (*bls.SecretKey, error) {
 		return nil, fmt.Errorf("couldn't create path for signing key at %s: %w", signingKeyPath, err)
 	}
 
-	keyBytes := bls.SecretKeyToBytes(key)
+	keyBytes := key.ToBytes()
 	if err := os.WriteFile(signingKeyPath, keyBytes, perms.ReadWrite); err != nil {
 		return nil, fmt.Errorf("couldn't write new signing key to %s: %w", signingKeyPath, err)
 	}

diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/DataDog/zstd v1.5.2
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/antithesishq/antithesis-sdk-go v0.3.8
-	github.com/ava-labs/coreth v0.13.9-rc.1
+	github.com/ava-labs/coreth v0.13.9-rc.2-encapsulate-signer
 	github.com/ava-labs/ledger-avalanche/go v0.0.0-20241009183145-e6f90a8a1a60
 	github.com/btcsuite/btcd/btcutil v1.1.3
 	github.com/cockroachdb/pebble v0.0.0-20230928194634-aa077af62593

diff --git a/go.sum b/go.sum
@@ -64,8 +64,8 @@ github.com/antithesishq/antithesis-sdk-go v0.3.8/go.mod h1:IUpT2DPAKh6i/YhSbt6Gl
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/ava-labs/coreth v0.13.9-rc.1 h1:qIICpC/OZGYUP37QnLgIqqwGmxnLwLpZaUlqJNI85vU=
-github.com/ava-labs/coreth v0.13.9-rc.1/go.mod h1:7aMsRIo/3GBE44qWZMjnfqdqfcfZ5yShTTm2LObLaYo=
+github.com/ava-labs/coreth v0.13.9-rc.2-encapsulate-signer h1:mRB03tLPUvgNko4nP4VwWQdiHeHaLHtdwsnqwxrsGec=
+github.com/ava-labs/coreth v0.13.9-rc.2-encapsulate-signer/go.mod h1:tqRAe+7bGLo2Rq/Ph4iYMSch72ag/Jn0DiDMDz1Xa9E=
 github.com/ava-labs/ledger-avalanche/go v0.0.0-20241009183145-e6f90a8a1a60 h1:EL66gtXOAwR/4KYBjOV03LTWgkEXvLePribLlJNu4g0=
 github.com/ava-labs/ledger-avalanche/go v0.0.0-20241009183145-e6f90a8a1a60/go.mod h1:/7qKobTfbzBu7eSTVaXMTr56yTYk4j2Px6/8G+idxHo=
 github.com/aymerick/raymond v2.0.3-0.20180322193309-b565731e1464+incompatible/go.mod h1:osfaiScAUVup+UC9Nfq76eWqDhXlp+4UYaA8uhTBO6g=

diff --git a/network/config.go b/network/config.go
@@ -128,7 +128,7 @@ type Config struct {
 	// TLSKey is this node's TLS key that is used to sign IPs.
 	TLSKey crypto.Signer `json:"-"`
 	// BLSKey is this node's BLS key that is used to sign IPs.
-	BLSKey *bls.SecretKey `json:"-"`
+	BLSKey bls.Signer `json:"-"`
 
 	// TrackedSubnets of the node.
 	// It must not include the primary network ID.

diff --git a/network/network_test.go b/network/network_test.go
@@ -175,7 +175,7 @@ func newTestNetwork(t *testing.T, count int) (*testDialer, []*testListener, []id
 		require.NoError(t, err)
 		nodeID := ids.NodeIDFromCert(cert)
 
-		blsKey, err := bls.NewSecretKey()
+		blsKey, err := bls.NewSigner()
 		require.NoError(t, err)
 
 		config := defaultConfig

diff --git a/network/p2p/acp118/handler_test.go b/network/p2p/acp118/handler_test.go
@@ -72,9 +72,9 @@ func TestHandler(t *testing.T) {
 			require := require.New(t)
 
 			ctx := context.Background()
-			sk, err := bls.NewSecretKey()
+			sk, err := bls.NewSigner()
 			require.NoError(err)
-			pk := bls.PublicFromSecretKey(sk)
+			pk := sk.PublicKey()
 			networkID := uint32(123)
 			chainID := ids.GenerateTestID()
 			signer := warp.NewSigner(sk, networkID, chainID)

diff --git a/network/peer/ip.go b/network/peer/ip.go
@@ -32,14 +32,14 @@ type UnsignedIP struct {
 }
 
 // Sign this IP with the provided signer and return the signed IP.
-func (ip *UnsignedIP) Sign(tlsSigner crypto.Signer, blsSigner *bls.SecretKey) (*SignedIP, error) {
+func (ip *UnsignedIP) Sign(tlsSigner crypto.Signer, blsSigner bls.Signer) (*SignedIP, error) {
 	ipBytes := ip.bytes()
 	tlsSignature, err := tlsSigner.Sign(
 		rand.Reader,
 		hashing.ComputeHash256(ipBytes),
 		crypto.SHA256,
 	)
-	blsSignature := bls.SignProofOfPossession(blsSigner, ipBytes)
+	blsSignature := blsSigner.SignProofOfPossession(ipBytes)
 	return &SignedIP{
 		UnsignedIP:        *ip,
 		TLSSignature:      tlsSignature,

diff --git a/network/peer/ip_signer.go b/network/peer/ip_signer.go
@@ -18,7 +18,7 @@ type IPSigner struct {
 	ip        *utils.Atomic[netip.AddrPort]
 	clock     mockable.Clock
 	tlsSigner crypto.Signer
-	blsSigner *bls.SecretKey
+	blsSigner bls.Signer
 
 	// Must be held while accessing [signedIP]
 	signedIPLock sync.RWMutex
@@ -30,7 +30,7 @@ type IPSigner struct {
 func NewIPSigner(
 	ip *utils.Atomic[netip.AddrPort],
 	tlsSigner crypto.Signer,
-	blsSigner *bls.SecretKey,
+	blsSigner bls.Signer,
 ) *IPSigner {
 	return &IPSigner{
 		ip:        ip,

diff --git a/network/peer/ip_signer_test.go b/network/peer/ip_signer_test.go
@@ -28,7 +28,7 @@ func TestIPSigner(t *testing.T) {
 	require.NoError(err)
 
 	tlsKey := tlsCert.PrivateKey.(crypto.Signer)
-	blsKey, err := bls.NewSecretKey()
+	blsKey, err := bls.NewSigner()
 	require.NoError(err)
 
 	s := NewIPSigner(dynIP, tlsKey, blsKey)

diff --git a/network/peer/ip_test.go b/network/peer/ip_test.go
@@ -21,7 +21,7 @@ func TestSignedIpVerify(t *testing.T) {
 	cert1, err := staking.ParseCertificate(tlsCert1.Leaf.Raw)
 	require.NoError(t, err)
 	tlsKey1 := tlsCert1.PrivateKey.(crypto.Signer)
-	blsKey1, err := bls.NewSecretKey()
+	blsKey1, err := bls.NewSigner()
 	require.NoError(t, err)
 
 	tlsCert2, err := staking.NewTLSCert()
@@ -38,7 +38,7 @@ func TestSignedIpVerify(t *testing.T) {
 	type test struct {
 		name         string
 		tlsSigner    crypto.Signer
-		blsSigner    *bls.SecretKey
+		blsSigner    bls.Signer
 		expectedCert *staking.Certificate
 		ip           UnsignedIP
 		maxTimestamp time.Time

diff --git a/network/peer/peer_test.go b/network/peer/peer_test.go
@@ -111,7 +111,7 @@ func newRawTestPeer(t *testing.T, config Config) *rawTestPeer {
 		1,
 	))
 	tls := tlsCert.PrivateKey.(crypto.Signer)
-	bls, err := bls.NewSecretKey()
+	bls, err := bls.NewSigner()
 	require.NoError(err)
 
 	config.IPSigner = NewIPSigner(ip, tls, bls)
@@ -322,17 +322,17 @@ func TestInvalidBLSKeyDisconnects(t *testing.T) {
 	require.NoError(rawPeer0.config.Validators.AddStaker(
 		constants.PrimaryNetworkID,
 		rawPeer1.config.MyNodeID,
-		bls.PublicFromSecretKey(rawPeer1.config.IPSigner.blsSigner),
+		rawPeer1.config.IPSigner.blsSigner.PublicKey(),
 		ids.GenerateTestID(),
 		1,
 	))
 
-	bogusBLSKey, err := bls.NewSecretKey()
+	bogusBLSKey, err := bls.NewSigner()
 	require.NoError(err)
 	require.NoError(rawPeer1.config.Validators.AddStaker(
 		constants.PrimaryNetworkID,
 		rawPeer0.config.MyNodeID,
-		bls.PublicFromSecretKey(bogusBLSKey), // This is the wrong BLS key for this peer
+		bogusBLSKey.PublicKey(), // This is the wrong BLS key for this peer
 		ids.GenerateTestID(),
 		1,
 	))
@@ -348,7 +348,7 @@ func TestInvalidBLSKeyDisconnects(t *testing.T) {
 func TestShouldDisconnect(t *testing.T) {
 	peerID := ids.GenerateTestNodeID()
 	txID := ids.GenerateTestID()
-	blsKey, err := bls.NewSecretKey()
+	blsKey, err := bls.NewSigner()
 	require.NoError(t, err)
 
 	tests := []struct {
@@ -458,7 +458,7 @@ func TestShouldDisconnect(t *testing.T) {
 						require.NoError(t, vdrs.AddStaker(
 							constants.PrimaryNetworkID,
 							peerID,
-							bls.PublicFromSecretKey(blsKey),
+							blsKey.PublicKey(),
 							txID,
 							1,
 						))
@@ -478,7 +478,7 @@ func TestShouldDisconnect(t *testing.T) {
 						require.NoError(t, vdrs.AddStaker(
 							constants.PrimaryNetworkID,
 							peerID,
-							bls.PublicFromSecretKey(blsKey),
+							blsKey.PublicKey(),
 							txID,
 							1,
 						))
@@ -502,7 +502,7 @@ func TestShouldDisconnect(t *testing.T) {
 						require.NoError(t, vdrs.AddStaker(
 							constants.PrimaryNetworkID,
 							peerID,
-							bls.PublicFromSecretKey(blsKey),
+							blsKey.PublicKey(),
 							txID,
 							1,
 						))
@@ -522,7 +522,7 @@ func TestShouldDisconnect(t *testing.T) {
 						require.NoError(t, vdrs.AddStaker(
 							constants.PrimaryNetworkID,
 							peerID,
-							bls.PublicFromSecretKey(blsKey),
+							blsKey.PublicKey(),
 							txID,
 							1,
 						))
@@ -546,7 +546,7 @@ func TestShouldDisconnect(t *testing.T) {
 						require.NoError(t, vdrs.AddStaker(
 							constants.PrimaryNetworkID,
 							peerID,
-							bls.PublicFromSecretKey(blsKey),
+							blsKey.PublicKey(),
 							txID,
 							1,
 						))
@@ -556,7 +556,7 @@ func TestShouldDisconnect(t *testing.T) {
 				id:      peerID,
 				version: version.CurrentApp,
 				ip: &SignedIP{
-					BLSSignature: bls.SignProofOfPossession(blsKey, []byte("wrong message")),
+					BLSSignature: blsKey.SignProofOfPossession([]byte("wrong message")),
 				},
 			},
 			expectedPeer: &peer{
@@ -568,7 +568,7 @@ func TestShouldDisconnect(t *testing.T) {
 						require.NoError(t, vdrs.AddStaker(
 							constants.PrimaryNetworkID,
 							peerID,
-							bls.PublicFromSecretKey(blsKey),
+							blsKey.PublicKey(),
 							txID,
 							1,
 						))
@@ -578,7 +578,7 @@ func TestShouldDisconnect(t *testing.T) {
 				id:      peerID,
 				version: version.CurrentApp,
 				ip: &SignedIP{
-					BLSSignature: bls.SignProofOfPossession(blsKey, []byte("wrong message")),
+					BLSSignature: blsKey.SignProofOfPossession([]byte("wrong message")),
 				},
 			},
 			expectedShouldDisconnect: true,
@@ -594,7 +594,7 @@ func TestShouldDisconnect(t *testing.T) {
 						require.NoError(t, vdrs.AddStaker(
 							constants.PrimaryNetworkID,
 							peerID,
-							bls.PublicFromSecretKey(blsKey),
+							blsKey.PublicKey(),
 							txID,
 							1,
 						))
@@ -604,7 +604,7 @@ func TestShouldDisconnect(t *testing.T) {
 				id:      peerID,
 				version: version.CurrentApp,
 				ip: &SignedIP{
-					BLSSignature: bls.SignProofOfPossession(blsKey, (&UnsignedIP{}).bytes()),
+					BLSSignature: blsKey.SignProofOfPossession((&UnsignedIP{}).bytes()),
 				},
 			},
 			expectedPeer: &peer{
@@ -616,7 +616,7 @@ func TestShouldDisconnect(t *testing.T) {
 						require.NoError(t, vdrs.AddStaker(
 							constants.PrimaryNetworkID,
 							peerID,
-							bls.PublicFromSecretKey(blsKey),
+							blsKey.PublicKey(),
 							txID,
 							1,
 						))
@@ -626,7 +626,7 @@ func TestShouldDisconnect(t *testing.T) {
 				id:      peerID,
 				version: version.CurrentApp,
 				ip: &SignedIP{
-					BLSSignature: bls.SignProofOfPossession(blsKey, (&UnsignedIP{}).bytes()),
+					BLSSignature: blsKey.SignProofOfPossession((&UnsignedIP{}).bytes()),
 				},
 				txIDOfVerifiedBLSKey: txID,
 			},

diff --git a/network/peer/test_peer.go b/network/peer/test_peer.go
@@ -101,7 +101,7 @@ func StartTestPeer(
 	}
 
 	tlsKey := tlsCert.PrivateKey.(crypto.Signer)
-	blsKey, err := bls.NewSecretKey()
+	blsKey, err := bls.NewSigner()
 	if err != nil {
 		return nil, err
 	}

diff --git a/network/test_network.go b/network/test_network.go
@@ -84,7 +84,7 @@ func NewTestNetworkConfig(
 		return nil, err
 	}
 
-	blsKey, err := bls.NewSecretKey()
+	blsKey, err := bls.NewSigner()
 	if err != nil {
 		return nil, err
 	}

diff --git a/node/config.go b/node/config.go
@@ -77,7 +77,7 @@ type StakingConfig struct {
 	SybilProtectionEnabled        bool            `json:"sybilProtectionEnabled"`
 	PartialSyncPrimaryNetwork     bool            `json:"partialSyncPrimaryNetwork"`
 	StakingTLSCert                tls.Certificate `json:"-"`
-	StakingSigningKey             *bls.SecretKey  `json:"-"`
+	StakingSigningKey             bls.Signer      `json:"-"`
 	SybilProtectionDisabledWeight uint64          `json:"sybilProtectionDisabledWeight"`
 	StakingKeyPath                string          `json:"stakingKeyPath"`
 	StakingCertPath               string          `json:"stakingCertPath"`

diff --git a/node/node.go b/node/node.go
@@ -60,7 +60,6 @@ import (
 	"github.com/ava-labs/avalanchego/trace"
 	"github.com/ava-labs/avalanchego/utils"
 	"github.com/ava-labs/avalanchego/utils/constants"
-	"github.com/ava-labs/avalanchego/utils/crypto/bls"
 	"github.com/ava-labs/avalanchego/utils/dynamicip"
 	"github.com/ava-labs/avalanchego/utils/filesystem"
 	"github.com/ava-labs/avalanchego/utils/hashing"
@@ -583,7 +582,7 @@ func (n *Node) initNetworking(reg prometheus.Registerer) error {
 		err := n.vdrs.AddStaker(
 			constants.PrimaryNetworkID,
 			n.ID,
-			bls.PublicFromSecretKey(n.Config.StakingSigningKey),
+			n.Config.StakingSigningKey.PublicKey(),
 			dummyTxID,
 			n.Config.SybilProtectionDisabledWeight,
 		)

diff --git a/snow/snowtest/context.go b/snow/snowtest/context.go
@@ -52,9 +52,9 @@ func ConsensusContext(ctx *snow.Context) *snow.ConsensusContext {
 func Context(tb testing.TB, chainID ids.ID) *snow.Context {
 	require := require.New(tb)
 
-	secretKey, err := bls.NewSecretKey()
+	secretKey, err := bls.NewSigner()
 	require.NoError(err)
-	publicKey := bls.PublicFromSecretKey(secretKey)
+	publicKey := secretKey.PublicKey()
 
 	aliaser := ids.NewAliaser()
 	require.NoError(aliaser.Alias(constants.PlatformChainID, "P"))